IIS_31547: The iis parsing for IPv6 logs #3315
Conversation
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
🤖 GitHub commentsTo re-run your PR in the CI, just comment with:
|
🌐 Coverage report
|
There was a problem hiding this comment.
@ishleenk17, could you please add the error message that can be observed without the fix?
Hey @marc-gr, what is the usual way you deal with IPv6+Zone addresses?
| @@ -12,6 +12,9 @@ processors: | |||
| - grok: | |||
| field: event.original | |||
| ignore_missing: true | |||
| pattern_definitions: | |||
| #This IPV6 pattern changes the zone_id to match non-space characters | |||
| IPV6: ((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%[^ ]+)? | |||
There was a problem hiding this comment.
That's one approach. I found in Beats also:
- Handle IPv6 zone id in IIS filebeat ingest pipeline beats#9869, provided by @jsoriano
- https://github.com/elastic/beats/blob/237937085a5a7337ba06f1268cfc55cd4b869e31/x-pack/filebeat/module/iptables/log/ingest/pipeline.yml#L45 - IPTables implementation
I don't see that you're referring to IPV6. Is it a predefined pattern or you're overwriting it?
There was a problem hiding this comment.
Yes, it's a predefined pattern which I am overwriting here.
The error message is mentioned in the bug id associated with this (elastic/beats#31547).
Do I need to add it elsewhere ?
There was a problem hiding this comment.
It's probably a personal preference, but sometimes it's easier to read the PR when you've all details in the PR description and don't need to jump to the issue discussion. Definitely not a bug!
There was a problem hiding this comment.
Sure, got it. Added it to the PR description.
There was a problem hiding this comment.
I think I would prefer to define a new pattern instead of overwriting a existing one. If there are fixes in the original pattern we would be missing them.
There was a problem hiding this comment.
I think I would prefer to define a new pattern instead of overwriting a existing one.
If we do that, then it needs to overwrite that patterns that incorporate this like IPORHOST and IP.
If there are fixes in the original pattern we would be missing them.
If there are fixes in IPV6 we won't get them if we define a new pattern either. By redefining the pattern at least we can still get fixes for the patterns that build upon IPV6 (like IPORHOST).
There was a problem hiding this comment.
I can't say I have a strong preference 😄 , but I did want to make a case for the other side.
I wish there was as built-in pattern for IPV6 without the zone so we would not need to redefine such a long pattern (like IPV6 = BUILTIN_IPV6_NOZONE + CUSTOM_IPV6_ZONE_NOTSPACE).
There was a problem hiding this comment.
I agree, if we don't change in IPV6, the it would be like overwriting IPOHOST type of patterns.
Hence it would be better to overwrite IPV6.
@andrewkroh @jsoriano What does it take to add a new pattern to the builtin patterns ? If we want to add the zone specific pattern there.
There was a problem hiding this comment.
What does it take to add a new pattern to the builtin patterns ? If we want to add the zone specific pattern there.
We could open an issue (or pull request) in Elasticsearch for this change, but we would need a solution in any case till the change arrives to a released version.
But looking through issues in Elasticsearch it seems that this format is not going to be supported: elastic/elasticsearch#22400 (comment)
packages/iis/data_stream/access/_dev/test/pipeline/test-iis-access-72.log-expected.json
Outdated
Show resolved
Hide resolved
| @@ -12,6 +12,9 @@ processors: | |||
| - grok: | |||
| field: event.original | |||
| ignore_missing: true | |||
| pattern_definitions: | |||
| #This IPV6 pattern changes the zone_id to match non-space characters | |||
| IPV6: ((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%[^ ]+)? | |||
There was a problem hiding this comment.
I think I would prefer to define a new pattern instead of overwriting a existing one.
If we do that, then it needs to overwrite that patterns that incorporate this like IPORHOST and IP.
If there are fixes in the original pattern we would be missing them.
If there are fixes in IPV6 we won't get them if we define a new pattern either. By redefining the pattern at least we can still get fixes for the patterns that build upon IPV6 (like IPORHOST).
packages/iis/data_stream/access/elasticsearch/ingest_pipeline/default.yml
Outdated
Show resolved
Hide resolved
Usually no space between the `#` and the comment is reserved for commented out code/data.
There was a problem hiding this comment.
The changes looks good as jointly reviewed with @ishleenk17
What does this PR do?
This PR addresses the issue of parsing access logs in IIS with IPv6 addresses.
The below log is one of the failure scenario.
2022-03-13 02:04:11 fe81::63ae:94c0:196e:8adf%3 GET /pbserver/..Áœ..Áœ..Áœ..Áœ..Áœ../winnt/system32/cmd.exe /c+dir+c:+/OG 8080 - fe81::63ae:94c0:196e:8adf%3 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0) - 200 0 0 12 81.2.69.143,81.2.69.144
Pipeline Test Results:
Run pipeline tests for the package
--- Test results for package: iis - START ---
FAILURE DETAILS:
iis/access test-iis-access-72.log:
[0] unexpected pipeline error: For input string: "81.2"
This new IPV6 pattern changes the zone_id to match non-space characters
Checklist
changelog.ymlfile.How to test this PR locally
To test this PR, test the ingest pipeline by running elastic-package test pipeline -v -g
Related issues